New National Security Approach Lets Electronic Spy Agency Play Cyber-Offence

Ralph Goodale, Minister of Public Safety and Emergency Preparedness, Jody Wilson-Raybould, Minister of Justice, Harjit Sajjan, Minister of National Defence, and Diane Lebouthillier, Minister of National Revenue, make a national security-related announcement at the National Press Theatre in Ottawa on Tuesday, June 20, 2017. (THE CANADIAN PRESS/Sean Kilpatrick)

OTTAWA – Canada is going all-in when it comes to cyberwarfare.

Weeks after giving the military permission to start developing cyberweapons and other offensive capabilities, the Trudeau government wants to issue a similar directive to Canada’s electronic spy agency.

New national security legislation unveiled by the Liberals on Tuesday would, among other things, let the Communications Security Establishment launch cyberattacks against foreign targets.

Those would include potential threats ranging from hackers and terrorists to countries and governments.

The 70-year-old agency’s existing mandate includes protecting computer systems that are deemed critical by the federal government, and only allows for the collection of information from foreign targets.

Those responsibilities would continue under the proposed legislation.

The changes being introduced by the government are necessary to protect Canada in the 21st century, said Defence Minister Harjit Sajjan, who is responsible for overseeing the agency.

“Currently we only have a defensive shield,” Sajjan told a news conference. “We have to wait to be hit.”

The spy agency is also being tapped to help the Canadian military when it comes to developing the latter’s ability to fight online, which was included as part of the Liberal government’s recently released defence policy.

Taken together, the new measures for CSE and the military mark Canada’s late entrance into a realm of warfare already occupied by its Five Eyes intelligence allies and potential foes such as Russia and China — and whose importance is only growing.

CSE, for example, warned last week that cyberthreats to democratic processes around the world are on the rise, and that Canada will face the risk of cyberattacks during the next federal election in 2019.

U.S. Admiral Michael Rogers, commander of the American military’s Cyber Command and director of the National Security Agency, told the U.S. Senate last month that “the pace of international conflict in cyberspace threats has intensified over the last few years.”

But it’s also a realm that is extremely complicated and in flux, as governments around the world grapple with the rules and limits of cyberwarfare.

Public Safety Minister Ralph Goodale, who introduced the proposed legislation, said offensive operations will need advance approval from the defence minister and a new intelligence commissioner.

A new committee will also review the actions of CSE and several other agencies each year, while the agency will be forbidden from targeting Canadians, anyone in Canada or any Canadian networks.

And the proposed law forbids CSE from hurting or killing anyone through its online actions, or making any intentional effort “to obstruct, pervert or defeat the course of justice or democracy.”

One key question is the degree to which Canadians will be notified about what sort of cybermeasures the spy agency and military are engaged in, including attacks on extremist groups and other countries.

Sajjan acknowledged that actual details of any attack will likely be extremely scarce for the public.

“Just like any other type of operation, it goes through a very strict process and obviously for national security reasons, we can’t outline a lot of the work that is being done,” he said.

“I think Canadians do understand that.”

NDP public safety critic Matthew Dube said he was worried the safeguards built into the legislation wouldn’t be enough to ensure CSE’s new powers were being used appropriately.

“The government must explain how they intend to prevent the leaking of cyberweapons into the wrong hands,” he added, “as we saw last month with the global attack based on a vulnerability stolen from an NSA stockpile.”

Hackers reportedly stole a large amount of cyberweapons from the NSA in April, one of which was later used in May to launch the WannaCry attack, which struck different parts of Europe and Asia.